International Electrotechnical Commission
Glossary

EN: Security Policy
1. A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.

(Source: RFC 2828)

2. Set of rules internal to an organizational unit that regulate how this unit protects the management of its assets in conformance with specified organizational objectives within its legal and cultural context.

(Source: ISO/IEC 15408)

3. The objectives and constraints for the security program. Policies are created at several levels, ranging from organization or corporate policy to specific operational constraints (e.g., remote access). In general, policies provide answers to the questions “what” and “why” without dealing with “how.” Policies are normally stated in terms that are technology-independent.

(Source: ISA99)


TC/SC: 57
Published in: IEC 62351-2, ed. 1.0 (2008-08)
Reference number: 2.2.179
Source: RFC 2828, ISO/IEC 15408, ISA99

© Copyright 2024 IEC, Geneva, Switzerland. All rights reserved